Dropbox Forks Out $300 000 to Find 264 Vulnerabilities

Dropbox participated in a HackerOne hosted bug hunt with participants from ten countries around the world, finding over 264 vulnerabilities in its platform.

HackerOne hosted a one-day bug hunt in Singapore to expose vulnerabilities for Dropbox. The popular cloud service provider was given a list of 264 vulnerabilities that hackers had identified. Some of the bugs were found on the day itself, and some were found beforehand.

The live event saw the security company fly in 45 of its members from all over the world. Participants came from a diverse list of countries including Japan, Hong Kong, Sweden, and India. The youngest of the 45-person bug-hunting crew was a 19-year-old who flew in from the United States.

Dropbox had given HackerOne the scope of the attack some time earlier so that the security outfit could prepare its members. Members of the outfit were already identifying dozens of bugs in the days before the invitational was scheduled to take place.

One of the main reasons Dropbox decided to make use of the security group was its recent acquisition of HelloSign. HelloSign is a digital workflow program. Dropbox is a company with a long-standing tradition of offering bug bounties. Its program has matured as the company has grown from its humble beginnings as a startup. A company spokesperson further commented that Dropbox’s process for reviewing bugs reported through initiatives such as this is very well defined.

The company considers offering bug bounties a key aspect of infosec within all companies and encourages others to follow in its footsteps. The initiative with HackerOne is simply an expansion of its own program, meant to help the company find more bugs faster. The diverse skill sets offered by an initiative such as HackerOne can only help make the company’s products more secure. Another aim of the live-hacking event was to increase awareness of the rewards available for ethical hacking.

HackerOne has organized over 1300 such events since its inception in 2012. Bounties totaling $49 million have been paid out to its members. The company is proud to boast a community of more than 390 000 registered hackers. It has previously worked with the Singaporean Ministry of Defense to make its systems more secure.

CEO Marten Mickos is hopeful of hitting $100 million in bounties by the end of 2020. He also hopes to have a community in excess of a million hackers by that time. This would mean the company had helped clients expose and fix more than 200 000 vulnerabilities. Of those 200 000, Mickos estimates that 16000 would be critical bugs.

Mickos was quick to stress that HackerOne is not a security consulting firm. It is a platform that gives ethical hackers the chance to earn money and help the wider tech ecosystem. There is space for his company alongside dedicated security consultancies and corporate in-house security teams. Security consultants, he says, are hired to focus on a specific aspect of security or to break a certain part of a tech company’s platform. HackerOne members, on the other hand, are given as wide a spread of problems as possible, surfacing issues that might not be caught using a specialized service. He points to the number of vulnerabilities found for Dropbox as a prime example.

Mickos further explained that companies themselves decide on bounty size, with HackerOne receiving a commission. The record for a one-day event such as the Dropbox one is $400 000. He goes on to say that multi-day events can easily see bounties in excess of $500 000.